Malware Analysis Report

2024-10-24 18:16

Sample ID 240607-bl8gwsfa4x
Target 2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike
SHA256 c7e75e49e6ce4ba7f1325c826df12099205f492943ea41c5c89879f30d0d0ef2
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7e75e49e6ce4ba7f1325c826df12099205f492943ea41c5c89879f30d0d0ef2

Threat Level: Known bad

The file 2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike

UPX dump on OEP (original entry point)

Xmrig family

Cobaltstrike family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 01:16

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 01:15

Reported

2024-06-07 01:18

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZNlmqwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xbIuwfj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TrnxrST.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zSCupId.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ibNaHRp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bKHmSWv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YFXxtem.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGTYFJu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qQpbixQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mhSSQnS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bVmoqax.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NcNUaxg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Phqcknz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bMhLOJO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QlmAqjL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fYJyErh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nQNuJbo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JgxMPKy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nttDhBt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nJXlHjA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vUKhewg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\NcNUaxg.exe
PID 2204 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\NcNUaxg.exe
PID 2204 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFXxtem.exe
PID 2204 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\YFXxtem.exe
PID 2204 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\xbIuwfj.exe
PID 2204 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\xbIuwfj.exe
PID 2204 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQNuJbo.exe
PID 2204 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nQNuJbo.exe
PID 2204 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGTYFJu.exe
PID 2204 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGTYFJu.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrnxrST.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\TrnxrST.exe
PID 2204 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\Phqcknz.exe
PID 2204 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\Phqcknz.exe
PID 2204 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\JgxMPKy.exe
PID 2204 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\JgxMPKy.exe
PID 2204 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMhLOJO.exe
PID 2204 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bMhLOJO.exe
PID 2204 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nttDhBt.exe
PID 2204 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nttDhBt.exe
PID 2204 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQpbixQ.exe
PID 2204 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\qQpbixQ.exe
PID 2204 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlmAqjL.exe
PID 2204 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QlmAqjL.exe
PID 2204 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\fYJyErh.exe
PID 2204 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\fYJyErh.exe
PID 2204 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bVmoqax.exe
PID 2204 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bVmoqax.exe
PID 2204 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\mhSSQnS.exe
PID 2204 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\mhSSQnS.exe
PID 2204 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJXlHjA.exe
PID 2204 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJXlHjA.exe
PID 2204 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\zSCupId.exe
PID 2204 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\zSCupId.exe
PID 2204 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ibNaHRp.exe
PID 2204 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ibNaHRp.exe
PID 2204 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKHmSWv.exe
PID 2204 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\bKHmSWv.exe
PID 2204 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNlmqwk.exe
PID 2204 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZNlmqwk.exe
PID 2204 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUKhewg.exe
PID 2204 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\vUKhewg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\NcNUaxg.exe

C:\Windows\System\NcNUaxg.exe

C:\Windows\System\YFXxtem.exe

C:\Windows\System\YFXxtem.exe

C:\Windows\System\xbIuwfj.exe

C:\Windows\System\xbIuwfj.exe

C:\Windows\System\nQNuJbo.exe

C:\Windows\System\nQNuJbo.exe

C:\Windows\System\eGTYFJu.exe

C:\Windows\System\eGTYFJu.exe

C:\Windows\System\TrnxrST.exe

C:\Windows\System\TrnxrST.exe

C:\Windows\System\Phqcknz.exe

C:\Windows\System\Phqcknz.exe

C:\Windows\System\JgxMPKy.exe

C:\Windows\System\JgxMPKy.exe

C:\Windows\System\bMhLOJO.exe

C:\Windows\System\bMhLOJO.exe

C:\Windows\System\nttDhBt.exe

C:\Windows\System\nttDhBt.exe

C:\Windows\System\qQpbixQ.exe

C:\Windows\System\qQpbixQ.exe

C:\Windows\System\QlmAqjL.exe

C:\Windows\System\QlmAqjL.exe

C:\Windows\System\fYJyErh.exe

C:\Windows\System\fYJyErh.exe

C:\Windows\System\bVmoqax.exe

C:\Windows\System\bVmoqax.exe

C:\Windows\System\mhSSQnS.exe

C:\Windows\System\mhSSQnS.exe

C:\Windows\System\nJXlHjA.exe

C:\Windows\System\nJXlHjA.exe

C:\Windows\System\zSCupId.exe

C:\Windows\System\zSCupId.exe

C:\Windows\System\ibNaHRp.exe

C:\Windows\System\ibNaHRp.exe

C:\Windows\System\bKHmSWv.exe

C:\Windows\System\bKHmSWv.exe

C:\Windows\System\ZNlmqwk.exe

C:\Windows\System\ZNlmqwk.exe

C:\Windows\System\vUKhewg.exe

C:\Windows\System\vUKhewg.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2204-0-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp

memory/2204-1-0x000001C5771D0000-0x000001C5771E0000-memory.dmp

C:\Windows\System\NcNUaxg.exe

MD5 682d9bfa2cf17bc3863ca78c9a5485d2
SHA1 714aa31d5f2b8b1c2c0abf42876c76fc803d0f02
SHA256 b7943820c5f9f112b8aecdedfb2cea72fc54ac7f68b27ffd866dee33248b25f8
SHA512 8d3859801f3283c820f8267a8e1cb0b4fd194260d1d9b5e03102a0b393b919840adea088544be8fe06356fa0b37f6c8e449a88a1662068b5046cb0281e313836

memory/2996-8-0x00007FF641620000-0x00007FF641974000-memory.dmp

C:\Windows\System\YFXxtem.exe

MD5 9022d259f131f966aeb180532616e878
SHA1 d71d74ad68a8bc78022efc3d8ba90a7ccf56f252
SHA256 f923b0ea32c8e30590d89c94daa296e1be30afa8a01e564fc20d54e847dc24a8
SHA512 23ce4746997e7ed3b66d09180093a9d304634c316a23f805003b8f2ef50b8272352f2fe1fb146365fac09a8b6e5dcc7993a62e76a3480e88d7fa2ab87690952c

memory/1260-14-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp

C:\Windows\System\xbIuwfj.exe

MD5 5e3c1c44eeaf0a234bfd932b352b8a82
SHA1 53404a534f7d691d869705d9b2e34c13d90f9bf2
SHA256 8b012b8f81fb711fd354725b9864181709bff6e3f30b0a9ccfd4e398eb715c80
SHA512 127876f9fed1d346f7428584ccdf4698b8b90d831ed4e221cec075c0d5e636e9227578d4fcce10298d4e1e724d08995d6e205dc1c575ab33e1040ff52fa3bfcc

memory/1360-20-0x00007FF702F10000-0x00007FF703264000-memory.dmp

C:\Windows\System\nQNuJbo.exe

MD5 e27b1bd88330f848ff603d5831461175
SHA1 5ca934f50e46589be53fd468a8bec763b178d467
SHA256 0e3ec72772d6fa7a0646273b95929a7a1a34eb3e9de06e6b8f0be438d4b0c050
SHA512 b578fe1e7a0279ff85996a95e55ea0a43ab3e73f358295c7dded57fa733eab788330d0e3824d29f21f6a62955aa219a2557e148cb379266ac8d4b3849a67c028

memory/4140-30-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp

C:\Windows\System\eGTYFJu.exe

MD5 609c6cd78eb28215a896143da952753a
SHA1 b08702a22c1dfa4e852dcf5722f1f1f598b8ce16
SHA256 eb841194c5586627885e07c57ef33cff7c5153e1ef23787186728d1a1db675c2
SHA512 9cf5f317d9fd6641d585bd943720d261ec5c94ec925c64609025cdbcce6c6f8b2e158841bf03b2e8df0e50f01fbfd305e684c9835a6fc0b9be2860940b892c8b

memory/1420-24-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp

C:\Windows\System\TrnxrST.exe

MD5 9ce62272e904d938e9b1ab52047b7bed
SHA1 de720a95c519dcc91d4a02c6db9b37f62262ee2c
SHA256 79bca4257c29962c9874b923b89a5a285718452b849e5e8492e4e49677cb9e72
SHA512 047fb0b5efc6adefcb01282833b0e34853652a1c5659011bbec2a909d23352be8a0044b996c829f4c70612ef2d7ed120ac30e98552277c9ba7c96eb8a0b580a0

C:\Windows\System\Phqcknz.exe

MD5 f6cdfb3d88537b367792cbd894bd98ed
SHA1 3d3f99c94c72c456dffcf949bc5d30603a7e936c
SHA256 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86
SHA512 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

memory/3876-40-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp

memory/2844-39-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp

C:\Windows\System\Phqcknz.exe

MD5 77dba91fb3c2cde72cb349d9f90ca79c
SHA1 b84a9e63676a0ad38ca01ffd44702e7c9744ca69
SHA256 ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7
SHA512 7688eeb8dd7644b0c13094022c2cf5cb3e8225b2176f2a6c3aa2c5fffd3842d1f2840ab41b990e0e98d17fd029498949a429fd63ec10fb6afac0d993f6b2e67c

C:\Windows\System\JgxMPKy.exe

MD5 dee06d50b85e0adbb81c826f01393706
SHA1 a2089d2a102ccd63e564d7242009bbfbb057966a
SHA256 fe6829f336b2a462dafc00c59dbde1e5dc937e75a9648b11ca6238cf981cddeb
SHA512 f4f2e65ffaec8b96f0d5104442f8cfba63c920dc762ef932430d6a73df9ae6eceb12051e3d50cebf33e0a398f756dabaa836fe4276eb9c7e172582dd45117d3f

memory/1220-48-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp

C:\Windows\System\bMhLOJO.exe

MD5 1d51a6f9f8f706d40a78f27cac287065
SHA1 981c2096ede4558d1ebc91ef5d6ea849a5e05a26
SHA256 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1
SHA512 f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

C:\Windows\System\bMhLOJO.exe

MD5 90a4690536f61f808cdff28f40c8d1e1
SHA1 cb625ea686b2a7df3f1a5cd20c5b66ac2ea0c334
SHA256 2943994b0fb447066264ab603c5a5419c9f5dec85d3d5cb5301468a058263250
SHA512 595b639d216ba7e16b61287c1fe4f2bf03878af722b289433e2de078b3345e4d3b0bd651d2027774246e33832a21b42687ca5334380e4e0597d04393e368db06

C:\Windows\System\nttDhBt.exe

MD5 542e3838428bc1dab5c5b1311e6a64a8
SHA1 626c0f29c4043b2b324639aade2ca33c5b4ea25e
SHA256 843f2ed5321c4686686af30027ce1830054d4dd5e404be2b4731af8043a16e4b
SHA512 6b4d8f7d176b4382761b0dad5e950badc4e4a8c4fbafa6fc1b15a97f6ea41d53d3dde77fc6ed5659b0d8372c5f0ddef6e06f59f81ba4d2b9c65009728caacadc

memory/2204-61-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp

C:\Windows\System\qQpbixQ.exe

MD5 24c799f31d37f20e6a45c663fbd4bc7f
SHA1 0cdada5f4e38dff8963b02508333bebaf72858f2
SHA256 9b0d3f5d7d20a63ff0fb7eea26a84e1630e8c1550a003b6a57d0854bb738b4a1
SHA512 93ba72472259ae15d57cc8534988af6fcce1cab4d83bab2dbd800ddee22cad65dbc1b640eaba9e228c09188817384fa879907fc4404254b2a1c4aecaad44644c

memory/4288-64-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

memory/2656-56-0x00007FF63F6C0000-0x00007FF63FA14000-memory.dmp

C:\Windows\System\QlmAqjL.exe

MD5 e57318a63971361a76a0a00d9b4ea356
SHA1 bcbb1d386880cdb0c47dbb78c72c9e0c7b42af3f
SHA256 26bb691ef68c214044385a52a6635445b6438fd9de6b112687eefbe01cac5fcc
SHA512 6888e5c051cd3f80c98da0a2943314be2dd98c855fc187b93f67188d909ba52c1ebfe577beea983c76a7a5ebbfebd0ad630b623d5fc90c3d3a0f5c4f02fea787

C:\Windows\System\fYJyErh.exe

MD5 92dc21b361752419e6944ac5c8abc595
SHA1 7181951bddbed2aff92587e9e876b1f55eda0f92
SHA256 b8df1882bd0627671ce8c9369326fc8c01cd62394659eb8861bb632c603944a4
SHA512 fed79a0e3522eee9785a584c043d6726b2dea4086f3f819f081520836dee43de8729dcda39969cbf33595127099bea127d5dd024e587b97524f618b59f5f1ebd

C:\Windows\System\mhSSQnS.exe

MD5 57aa48d8406671d0dcb7c9379e86902d
SHA1 a3393915b790f3d46d5f4f0ee1765b1851a89067
SHA256 edba9c49f2618bc2613feccac26fe6d9275be87468e868ba1dbbedb8142820f4
SHA512 650ba3fd40bf4ae1edd26670d310bb37fe65ec957228c14605577aa7280f5cde3844305b3c44eaa3522116094007f8c760e23a977afeac979fa55e7a4e592c9d

C:\Windows\System\nJXlHjA.exe

MD5 79b8ed996143e47c4d663690f2e02df2
SHA1 bb5ece110f91c853b61537d4379241e05fa197f9
SHA256 204f50135dd3542de480a34086f76dc1412dc0dca3b7950d3c41d21dc390b28f
SHA512 fa41037c4af41479df1c9770312fbf3ee5f5f6a691d400f8d6b85cf8964deb3910319c693c0063403c56e62c87c12ae62ac5a0f3a4926b0b4679db71abf02085

C:\Windows\System\bKHmSWv.exe

MD5 e31c581003e51523ef8cd76a84783dc2
SHA1 ecf4a6ca2861b7aeff73f9a776969bc4be912382
SHA256 69b15f7d15aacc6f29671c5a318c5c563db20a1b80a606f911f4a94741be7319
SHA512 75c9a26817d2b36ceb1759147fd4b1e5d06c5c9bcf76971ca453c7dc62a29bb067102cededf204d641b4d4e09e478458d96164be8842cb56cc0f6eb259de91cc

C:\Windows\System\bKHmSWv.exe

MD5 e8c4508a392ccf08590d3627a36cc3c3
SHA1 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2
SHA256 cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d
SHA512 f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

C:\Windows\System\vUKhewg.exe

MD5 39e0b48602867ba7a27259b41e502711
SHA1 2f5f932002a96d3516884f572deb44a213792601
SHA256 d17cd61ffe37d78fd2b29b96e1c45ec2f3e57ad4c634f55474932229eb1dac3c
SHA512 d4bd0ad2169cefad8271031a22ec7f54ea99c2d7d6bd97ade92aea5c1e8060a0e1344f5be0daacd02add2f320a2988e5aae130008312f6c44075ad1ae20ae50d

C:\Windows\System\ZNlmqwk.exe

MD5 46cef478b7258c8fedd6e4c8110b10ed
SHA1 425d93655f35af25a5187a10036b4d3779d97f7d
SHA256 affd811a828cfe87059a63716187acd3e7a2864ef7d13829c4645fee918039dd
SHA512 28fe0449b8a6cab5216d505b7b65b144b19519b573d322893130e12a17672079c2816fc760bc31ad52a7127a5a2273f3d32354e17f2228c77ee0b9fea9781673

C:\Windows\System\ibNaHRp.exe

MD5 340992a7237dc521f419e3733452a17e
SHA1 928110cb51f67d90406b7785809ef282a747a514
SHA256 f15129a60de0c6e61092fd67d235db992807e02235487b180d74638c9e9592ea
SHA512 cb114b6aaa2ccdcf6e7c221832ef4537a1cc68880a90aeda26faef234c8cbd96f66939aaabce99246f7a915b7f0a2fed901a8443afbd629c13bb1759c9bc37d1

C:\Windows\System\zSCupId.exe

MD5 cf313fd3567660358188c59a0a20f444
SHA1 8632dac699892a62b347b390d451e31b8da6b7a2
SHA256 bdabd7afb3def616db7c79fd00c9940f52ea72dbe1ae83556070f60b0a8d097d
SHA512 76a5fac08caae91c1e4e9ec14c5cbac879cb012a5fb81ef0d12af0f3e9364b89a2676846187a24e57ea761fed334c621fb13cb54ad0b9ba008e40042d35f58b1

C:\Windows\System\bVmoqax.exe

MD5 42392c99db77f9e2b1b77943876acc96
SHA1 6e3d690eb2b4987a43047d9c6aaf0b8ff703968a
SHA256 fb22aec338479d5a72173cfa3358659080bb225f575c580438bbf1beae2a660f
SHA512 961075aa266abd7b91ced28cc1ac3a770e01aee71a2faca3bfdc0a52c30734be616a16fd5830473776fa54ff599db8801b587fc29addd608d36cf9702c8e4914

C:\Windows\System\QlmAqjL.exe

MD5 2130f4461ba7262c4b9569c7ad362fbe
SHA1 477f7cc69e47cdff19a52b2da61a04f2127580e1
SHA256 f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025
SHA512 bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703

memory/2644-120-0x00007FF7E8920000-0x00007FF7E8C74000-memory.dmp

memory/3144-119-0x00007FF799330000-0x00007FF799684000-memory.dmp

memory/4752-122-0x00007FF7A56D0000-0x00007FF7A5A24000-memory.dmp

memory/4092-123-0x00007FF7EE5F0000-0x00007FF7EE944000-memory.dmp

memory/4236-125-0x00007FF7EE5D0000-0x00007FF7EE924000-memory.dmp

memory/3068-124-0x00007FF7738E0000-0x00007FF773C34000-memory.dmp


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 01:15

Reported

2024-06-07 01:18

Platform

win7-20240215-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MxJKnKV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KVDItAf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\EWdpqvx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QhIJdkH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rYMQKHV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZcpwirM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KAtpHeo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OkhPnVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FRbjozv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pdHZUwe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nIpcUZi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WlihAIF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iJpKTfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lfiTzsk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FEtsAGq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QLqSKBV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZPteklv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GHhJkCb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OfWdjbz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TKcmYxQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jbCSXlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\KAtpHeo.exe
PID 1656 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\EWdpqvx.exe
PID 1656 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\OkhPnVg.exe
PID 1656 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\FRbjozv.exe
PID 1656 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\OfWdjbz.exe
PID 1656 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QhIJdkH.exe
PID 1656 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\FEtsAGq.exe
PID 1656 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\rYMQKHV.exe
PID 1656 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZcpwirM.exe
PID 1656 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\TKcmYxQ.exe
PID 1656 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\MxJKnKV.exe
PID 1656 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\QLqSKBV.exe
PID 1656 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZPteklv.exe
PID 1656 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\GHhJkCb.exe
PID 1656 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\nIpcUZi.exe
PID 1656 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\WlihAIF.exe
PID 1656 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\iJpKTfy.exe
PID 1656 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\lfiTzsk.exe
PID 1656 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\pdHZUwe.exe
PID 1656 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\KVDItAf.exe
PID 1656 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe C:\Windows\System\jbCSXlQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\KAtpHeo.exe

C:\Windows\System\KAtpHeo.exe

C:\Windows\System\EWdpqvx.exe

C:\Windows\System\EWdpqvx.exe

C:\Windows\System\OkhPnVg.exe

C:\Windows\System\OkhPnVg.exe

C:\Windows\System\FRbjozv.exe

C:\Windows\System\FRbjozv.exe

C:\Windows\System\OfWdjbz.exe

C:\Windows\System\OfWdjbz.exe

C:\Windows\System\QhIJdkH.exe

C:\Windows\System\QhIJdkH.exe

C:\Windows\System\FEtsAGq.exe

C:\Windows\System\FEtsAGq.exe

C:\Windows\System\rYMQKHV.exe

C:\Windows\System\rYMQKHV.exe

C:\Windows\System\ZcpwirM.exe

C:\Windows\System\ZcpwirM.exe

C:\Windows\System\TKcmYxQ.exe

C:\Windows\System\TKcmYxQ.exe

C:\Windows\System\MxJKnKV.exe

C:\Windows\System\MxJKnKV.exe

C:\Windows\System\QLqSKBV.exe

C:\Windows\System\QLqSKBV.exe

C:\Windows\System\ZPteklv.exe

C:\Windows\System\ZPteklv.exe

C:\Windows\System\GHhJkCb.exe

C:\Windows\System\GHhJkCb.exe

C:\Windows\System\nIpcUZi.exe

C:\Windows\System\nIpcUZi.exe

C:\Windows\System\WlihAIF.exe

C:\Windows\System\WlihAIF.exe

C:\Windows\System\iJpKTfy.exe

C:\Windows\System\iJpKTfy.exe

C:\Windows\System\lfiTzsk.exe

C:\Windows\System\lfiTzsk.exe

C:\Windows\System\pdHZUwe.exe

C:\Windows\System\pdHZUwe.exe

C:\Windows\System\KVDItAf.exe

C:\Windows\System\KVDItAf.exe

C:\Windows\System\jbCSXlQ.exe

C:\Windows\System\jbCSXlQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\KAtpHeo.exe

MD5 137b4632c6fa6caa35bb8488c1383ff6
SHA1 d2c1314aec40c9b823727b1930db8991328c2dcb
SHA256 fa1a78144209618632d04624cc310934555ed0840752e2ad123c1f543bd13530
SHA512 192d7a788782f879c5db1b8108fb9225dcfd0ff6806a762cfd27096071e4677e54a44b9359682abf2698a4de1d6052c91c38ea46ae57459b1d463f487386347f

C:\Windows\system\FEtsAGq.exe

MD5 5e166a59485363ca202f374973ce1f0b
SHA1 2f50543166302dbdd4afa683b775713b34a7d61e
SHA256 deb2bc30f9f51b1dac1327460b91a5ff21e5e5eea248b8ddfca074bf8dc7a080
SHA512 d3d46915fc28ae6834b736cb1eddf2b9ea58f3289d931612ca0eb652c8fe14eef13ec62b65cbf4cfd7179ffb9b2cc2a526b85ff417d34610c38285e8a2e4b72c

C:\Windows\system\TKcmYxQ.exe

MD5 dfa6bead5a2341ff46d65afde31f7e7e
SHA1 63ab3236e432490090d230ec05fe321a1e453a5a
SHA256 377f3c6d4020dfee545d6a935972f9b4cf9130592b2871e63a6d567cbd1b0901
SHA512 8bef533a9179c14940759d132574871da934df051a76c11f0f8bdb54af1ea3b65262e796b2771303d328810168030a6fe1014a0fcf14bdda27e3a6576c798e30

C:\Windows\system\QLqSKBV.exe

MD5 c3c877e2f8476dec54976a1321cb398f
SHA1 92719110d29946a35e4ec95d26c220102c5651c2
SHA256 fa210c9d3b2949606ee60c0d1a7156c618f6dd6ded2ac79ca621fdf27ff4879f
SHA512 9a71f028f0dd998540c5385e45b7ede8ff875fba820f8442d488ac44781e9cd117ff1f50819b2ab94d6efa2e0dfe15efeb8460ae653de06015d83213d5489e95

C:\Windows\system\nIpcUZi.exe

MD5 984a8cf637fc9f46a5be1646493a183b
SHA1 eff3045fcb5d0b4a9321004fdd3e94f3f336f5af
SHA256 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068
SHA512 f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

C:\Windows\system\lfiTzsk.exe

MD5 a7a14d49bc953262bedafd5c43a10886
SHA1 2195a99a107bb5bc22b21f3eb179e47c675e12e2
SHA256 196bc905f03a30d27975db95f62d1a7b9497d6decfb51ba49a2811f1f798130a
SHA512 7136aaa2959cb15e46f2560698aedde1e24034ff721844bb78f7aa8c481b68812ea2c996999adb06567f312fce810a44dca658f2813634d171274f7dfe9cb0b8

C:\Windows\system\jbCSXlQ.exe

MD5 0145c9755d81d30fb4ec1d1c480d34de
SHA1 e2ad7efcfa86686ecf4fb4e0087a5f06f4b146fc
SHA256 4192d38f23a04597761b2e44ffe415dcfe5b66aad334fd2c5772e540f87b687f
SHA512 4cb156bdbf96215b8b6f49156d7b6bc6e223fecdfbe7e2eaec8d8a2de9903bb2026e7f512664e26ee5a6a17a2ce246a89a7e6499aca79f5b6612bb220cd06315

\Windows\system\KVDItAf.exe

MD5 362c3329786a74328a5d1e78b09bc0b8
SHA1 3968cae0e292942e273d4a3a84e5a16bbc10d181
SHA256 d87527856f6240ec171bd3673b42039bd4caaf1375a45be4f983fb699befa552
SHA512 0ace033f4ebfa89b30c0f817bae16f04e19da43f27ce89f50ff30e170af5963bb1e6fb50b9dc987ec7e18d4faabbee2e82f7add3a90a87964478e21918a4b2eb

C:\Windows\system\pdHZUwe.exe

MD5 5442355d3b216d81a246f0b8be5361d5
SHA1 5dd01cefc17606714e9478472f7b2cdb8eee451e
SHA256 e52b689f2c61f5001745b9c516d51da6895db5e56e3d4dddac9fea574f6241ee
SHA512 34e22078cfc8aaa779314cccbda7ccce03acf053505ca20cb75594ed4ee76c438cf8660ef2d02f8e86783520ec28c1228e2e809927999ddd944c951db326f574

\Windows\system\iJpKTfy.exe

MD5 73c151880ed88ecab9096522ae8b9c1c
SHA1 c352378dbf5f40137fb4c743d9e39d5c9fe5987a
SHA256 6703b0bcf27335a01d128768154e4fc56883f437a02b65b8e325097715c7843f
SHA512 ae02004cfc22515c5293b285806caaa922c61257c7560ba5d6aa038d0c0b1c9ad529a62d16f27098b383721bc4c417125f65715001dc3bb5a203e83db585bfb5

C:\Windows\system\WlihAIF.exe

MD5 7df404d523b7047f2b691638f3ad9bec
SHA1 d89d6e9c0429ef069e2564d991b731ea24ac2da0
SHA256 9e67955f4c98317fde08450c206087b22fac1ce345aad2c349c97cd5f2a61c23
SHA512 a395ce34dd1d1ca9b2e363ab2281b8b03a77432052685368476cf41466b33ca74f565f906c9e597ea6e84b6efb3487a6d8c0db336b0300441e3be70ac8129a99

C:\Windows\system\ZPteklv.exe

MD5 5f9fc3313ad8239691b5deecaf5c7caa
SHA1 f859e76b11c0f82c331b49fb953f4223658accc0
SHA256 253ccaa5858618b11b13a0bb7cf60447e5d4a6c5df63c11b2cfc180de46f5566
SHA512 c8999aeae22e61eb633522d7898efe60314ee5769679e54a6f6c673c5708f9c1b5010146e376da428412f35c224e77c330fa208a7eb2305c30163d83828db85a

\Windows\system\nIpcUZi.exe

MD5 f71f6b9a4943aac9340b0550039d814e
SHA1 9ec331b991f992b6cd9dd035d75a4232c94da1a8
SHA256 2798a5f324061c8f6f1fa67507c597da0cad9429201198fb58a66487b0d60d4d
SHA512 ba6edb70c22dc5ec284650e087ad81e122fb0c58442c4f1bb2def846e8bbef0279ca375c69447e3856018c0de19b1f8de3b9827c82768a0c8513daf62833408b

C:\Windows\system\GHhJkCb.exe

MD5 5f20e56c7ef0190c0b2d69f24e511f69
SHA1 b8843f8b067d5f26d54424864da9b48a808c2017
SHA256 71fe72ea0a932e0c18ef2161ec021e38d06c64bbf3cd469fd0837440808a21bb
SHA512 7b185ac768dfef90858f931765b38d5b67c41206656ce139124c5678239c04fdbacf3494550ee6c393c11ff736a05f11f213929da5aef16e0ced9a252b9f34a1

C:\Windows\system\MxJKnKV.exe

MD5 32d1e8edb0e7e320435c9c9ed9824f50
SHA1 9d762eb606fabf0900103c15c4ac5769bf027565
SHA256 57b7fd80f8e8478bcafc38f2497d74ef4630cb32961902aa641a4da4637c6020
SHA512 0ab003f3061e46cfe045e37e2a9418619c23d3cea14565be48ac4abe5c6125ab7897d0580814a92a4ff0cbea15a9ae2dbdb2b9175a5c7cd7f4f91bb4f221b826

C:\Windows\system\ZcpwirM.exe

MD5 a15d767e6587df8cd0df8abe1d6d45e2
SHA1 14aedde34fc1d543911e73e0bdc579fdbca5b38d
SHA256 8bb00d2133b63fdbbd8a1b8fae195a2c9c625a0ef388671a766eccfd6c368b13
SHA512 6d9dba883d77bcf6df3fd9c6245a764c8b100e7e5c5b0b1e9effbe5459d0239970652d1b5d33d1037fb654298f1ae1efbe45af7b2f90028c025e2ae0bc09cefb

C:\Windows\system\rYMQKHV.exe

MD5 f24007af2490958ca58417311f0f6505
SHA1 cee2d5c286f1056d260b1cc9e50bc9bf5b3483b5
SHA256 b18d8563f4027e0fe7e552149f41dd90bd34663e016ee0aa673387de4c73b997
SHA512 c1ec2eeb6268ad0098f012ca6fdfa5a55230aea4391a4740031454e0fc9121d9c1d04be8e77cd5009b21aa56c7009c10b42abb80ec7fe92b131375a104c84843

C:\Windows\system\OfWdjbz.exe

MD5 c0c5f12ecc1c5f06f62a0dca13ed393a
SHA1 e297a05aaa58e350b18f1a89b58ef5c0fde56c83
SHA256 9b21e10cffd7b09a212abd7cc6b00e4ef42b5aa806810bcdf972fc2b85716a53
SHA512 6e7db730973cb7940f0ade24744257fdfea7692c0664ae46dc90eeb87c498dda96ca0b578c56fcef32b13c9cc5f3b30aa8912a75ed507dd8333d607a4b00992c

\Windows\system\QhIJdkH.exe

MD5 b83358d59fda2bca38a1912fb7db243c
SHA1 52e255396c86d9b7a68274bacf6734978c947b63
SHA256 414f71d922b5f261500c5d61c8a6c906f0df11d3f00bd6b5928ec72ad9795401
SHA512 f062d92080640d93dad95ec46cbce12279feef44d83763e723c62bdde457db52b71b255d548e00bc288601b58580bb97f61b2a4451e4af9db8c496d554aeba21

C:\Windows\system\FRbjozv.exe

MD5 c5619678c383f56ff96f811ea02ce442
SHA1 93740a0aea711ddd1aaab6f790b286a8e47b965b
SHA256 562fd4fc5a7adb7f9fcb3ab7ac3fc22715f3d32936c1b020ccdaf1cdc51199e5
SHA512 c9b145277ee959b4b09ca2c17b7be17b75401e0402a2b5a8ed73b3737cddb0f6f74939450a21cdc70db097613452c3232443745653beca8f020a6a15af020854

\Windows\system\OkhPnVg.exe

MD5 9ca825b8f7279fc2035131bca7a9067c
SHA1 d90dd3271e210e495c6cedd7d89fca61f1e1a140
SHA256 5c69badf547d49c04c705aa31f303a9b67e7862d3823ca1a68af663beb892cbe
SHA512 9c2e14d72418fb205baf0f3c8d8af8134429f2d3f8e52e09fb9bf8a424d66be76844076dd1bf009d31658261d26122fd45caa1d7d2b2f436db8ed867edde86ed

C:\Windows\system\EWdpqvx.exe

MD5 f21ae6a4daead6d94060e066bb9e75a7
SHA1 4c8d3b48d69dc216b901f6db85e86a87ea279129
SHA256 32018fefd55c99af293ae64ec847005dfe53ffdad2fd07b98cc32c0112820fd7
SHA512 e08371aa191f6287b8bf03b99e0206817e53de51bf9ec0dde1d8e6dc0f57995cd65324de19c7bcd04a13f7cc1cacc5e01d17270ea0080988ba79106951009dae
